IoT certificates | Device certs safe to replace?

Re: https://nakedsecurity.sophos.com/2019/12/17/researchers-discover-weakness-in-iot-digital-certificates/

"…Kilgallin is sceptical about pre-loading devices with keys during manufacturing, because it opens up devices to supply chain attacks in which an untrustworthy manufacturer or logistics company tampers with the keys en route.

Certificates also expire, he points out, meaning that they’d have to be re-generated periodically on the device anyway. An alternative, he suggests, is to get better random input during an onboard key generation process. Because IoT devices are network connected, they can easily get true random data from various sources, he says. That would let them generate higher-entropy keys even with limited computing power and memory…"

I’ve been trying to figure out the best way to fix this issue for wireless APs and network routers that have their own SSL certificate.
Would it be safe to replace the public and private key on these kinds of devices over SSH with a custom set of certs?
Could this be a long-term issue that has to be dealt with by the manufacturers of these devices we buy?

Would replacing the current cert with one like a Let's Encrypt cert be wise even if I had a way to SSH into it and update it with new certs automatically?

I usually catch shade for this sort of opinion, but I don’t consider weak encryption on devices like these to be a major concern. There are MUCH larger fish to fry in terms of IoT security.

I feel comfortable stating that attacks on IoT devices purchased by consumers are nearly all attacks of opportunity rather than targeted attacks. By this I mean these devices are targeted by botnets that will password spray known default credentials, or try issuing commands on susceptible network ports. There are no aggressor botnets targeting public IP blocks in an attempt to crack private RSA keys en masse that I’ve heard of now or in the past. These guys are playing the numbers game, trying to hit as many as possible in the shortest amount of time. An RSA crack doesn’t fit with this strategy.

Now I’m not saying weak encryption isn’t a problem. If you’re in a position where it’s feasible that you may be specifically targeted by a bad actor, then you would definitely want to swap out any poorly encrypted keys. However, if you’re in such a position then you need to use devices that are designed with this kind of security in mind. To answer your specific question of replacing inbuilt keys with your own - a good example is Ubiquiti’s UniFi line of products. Their UniFi controller has a feature that allows you to specify your own keys on all associated APs and switches. I don’t know many business-grade appliances that don’t provide mechanisms for swapping in your own crypto. Many of them even request you to do so.

tl;dr - you get what you pay for with IoT security, what else is new

1 Like

I’d always put my own certs on devices, where I can.

If they are already registered with an internet service, router, etc., they will need to be re-registered afterwards, but I only use kit that is managed locally.

Are there situations where that should be avoided?

Generally, no. Unless the manufacturer has pre-paired devices and doesn’t give the option of re-pairing.

There are also many devices where you just don’t have that level of control.

But I tend to avoid such hardware, where I can.

1 Like
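
A pre-upload check for the certificate replacement discussed in this thread, added here as an example and not written by any poster: the key is generated on the admin host rather than on the device, and a pair is rejected if key and certificate do not match, the RSA key is too small, or the certificate is close to expiry. The hostnames, file layout and both thresholds are assumptions, and the self-signed certificate stands in for one issued by your own CA.

```shell
#!/bin/sh
# Added example, not from the thread. RSA keys only; thresholds are assumptions.
MIN_BITS=2048        # assumed minimum RSA modulus size
MIN_DAYS_LEFT=30     # assumed minimum remaining validity

# Generate key + self-signed cert on the admin host (well-seeded RNG),
# not on the AP/router itself. Runs in a subshell so the umask stays local.
make_device_cert() (   # usage: make_device_cert <dir> <hostname> <days>
    umask 077          # private key readable by its owner only
    openssl req -x509 -newkey "rsa:$MIN_BITS" -nodes \
        -keyout "$1/$2.key" -out "$1/$2.crt" -days "$3" \
        -subj "/CN=$2" -addext "subjectAltName=DNS:$2" 2>/dev/null
)

# Return 0 if the pair is fit to upload; 1 = mismatch or unreadable file,
# 2 = RSA key below MIN_BITS, 3 = expires within MIN_DAYS_LEFT days.
precheck_device_cert() {   # usage: precheck_device_cert <key> <cert>
    # The certificate must carry exactly the public half of this private key.
    kpub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cpub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ "$kpub" = "$cpub" ] || return 1
    # Read the modulus size from the "Private-Key: (N bit ...)" header line.
    bits=$(openssl pkey -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Private-Key: (\([0-9][0-9]*\) bit.*/\1/p' | head -n 1)
    [ "${bits:-0}" -ge "$MIN_BITS" ] || return 2
    # -checkend fails if the certificate expires within the given seconds.
    openssl x509 -in "$2" -noout -checkend $((MIN_DAYS_LEFT * 86400)) \
        >/dev/null 2>&1 || return 3
    return 0
}
```

The upload step itself is device-specific and left out; run `precheck_device_cert` again from a scheduled job so a certificate nearing expiry is caught before the device starts serving it expired.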